[arch-general] Stronger Hashes for PKGBUILDs

NicoHood archlinux at nicohood.de
Thu Dec 8 13:52:20 UTC 2016


On 12/08/2016 01:34 AM, Allan McRae wrote:
> On 08/12/16 08:51, sivmu wrote:
>> Am 07.12.2016 um 10:49 schrieb Allan McRae:
>>>> ...
>>>> I advocate keeping md5sum as the default because it is broken.  If I see
>>>> someone purely verifying their sources using md5sum in a PKGBUILD (and
>>>> not pgp signature), I know that they have done nothing to actually
>>>> verify the source themselves.
>>>> ...
>> That is a very dangerous assumption. I know for a fact that many
>> maintainers used md5 for verification because it is the default.
>> There are/were maintainers that downloaded the source, verified the pgp
>> signature and generated the md5 checksum to include it in the PKGBUILD
>> (without the pgp signature)
> 
> Idiots...  so again using md5sums as the default saves me from people
> who don't know how to package.
> 
> A
> 

Calling those idiots is not the way to solve this problem. The fact is
that if we use a (strong) hash and multiple people compare their hash
against that, we can ensure that everyone downloads the same sources.

Setting the default to sha512sums helps in more cases than using md5 as
"bad karma" flag does. Did it ever help you that you saw someone using
md5? Or wouldn't it be better to guide them into the right direction by
a) using sha512sums as default and b) adding a warning when no https and
gpg is used?

I think we should at least implement those warnings, no matter what hash
we use. Our main goal is to have every source signed with gpg and
downloaded by https.

Is there any voting system that we have so that we can also
democratically vote for stronger hashes? It seems to me that the
majority (who spoke up on the list) is for stronger hashes. All
technical facts have been said and we should come to a final agreement now.

~Nico
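The two warnings proposed in this message (md5sums-only verification, and sources fetched without https and without a PGP signature) are easy to check for mechanically. The script below is an added example written for this page; it is not part of the thread and not makepkg's own lint. The function names and the two sample PKGBUILD snippets are constructed for the demo (the hash values are the md5 and sha512 of the empty string, and the key fingerprint is an all-zero placeholder).

```shell
#!/bin/sh
# Added example, not code from the thread or from makepkg: a small lint for
# the warnings proposed in the message above. Function names and the sample
# PKGBUILD snippets are constructed for this demo.

# Constructed sample: md5 only, plain-http source, no signature at all.
WEAK_PKGBUILD='pkgname=example
pkgver=1.0
source=("http://example.org/example-1.0.tar.gz")
md5sums=("d41d8cd98f00b204e9800998ecf8427e")'

# Constructed sample of what the message asks for: sha512, https, signed.
# The fingerprint is an all-zero placeholder, not a real key.
GOOD_PKGBUILD='pkgname=example
pkgver=1.0
source=("https://example.org/example-1.0.tar.gz"
        "https://example.org/example-1.0.tar.gz.sig")
sha512sums=("cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
            "SKIP")
validpgpkeys=("0000000000000000000000000000000000000000")'

# lint_pkgbuild PKGBUILD_TEXT: prints one WARNING line per finding.
lint_pkgbuild() {
    text="$1"
    # (a) md5sums present and no stronger checksum array alongside it
    if printf '%s\n' "$text" | grep -Eq '^[[:space:]]*md5sums=' &&
       ! printf '%s\n' "$text" | grep -Eq '^[[:space:]]*(sha256|sha512|b2)sums='; then
        echo "WARNING: sources verified with md5sums only; use sha512sums"
    fi
    # (b) a plain http:// URL anywhere in the file (https:// does not match)
    if printf '%s\n' "$text" | grep -Eq '(^|[^[:alnum:]])http://'; then
        echo "WARNING: source fetched over http, not https"
    fi
    # (c) neither a detached signature (.sig/.asc) nor a validpgpkeys array
    if ! printf '%s\n' "$text" | grep -Eq '\.(sig|asc)([^[:alnum:]]|$)|^[[:space:]]*validpgpkeys='; then
        echo "WARNING: no PGP signature verification (no .sig/.asc source, no validpgpkeys)"
    fi
    return 0
}

# count_warnings PKGBUILD_TEXT: number of WARNING lines, as a bare integer.
count_warnings() {
    lint_pkgbuild "$1" | grep -c '^WARNING' || true
}

lint_pkgbuild "$WEAK_PKGBUILD"
echo "weak: $(count_warnings "$WEAK_PKGBUILD") warning(s)"
echo "good: $(count_warnings "$GOOD_PKGBUILD") warning(s)"
```

Run it against a real PKGBUILD with `lint_pkgbuild "$(cat PKGBUILD)"`. The checks are deliberately textual: they only flag the absence of the stronger hash, of https and of signature verification, which is exactly the "guide them in the right direction" warning the message argues for, independent of which hash makepkg picks as its default.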
